US7724904B2 · Expired · Utility · PatentIndex score 84
Authentication system and method thereof in a communication system
Est. expiry: Jul 2, 2025 (expired) · nominal 20-yr term from priority
CPC: H04L 9/0844, H04L 2463/061, H04L 63/162, H04L 63/08, H04L 9/083, H04W 12/06, H04L 63/061, H04L 9/14, H04W 12/04, H04W 12/041, H04W 12/069
PatentIndex score: 84 · Cited by: 11 · References: 19 · Claims: 16
Abstract
An authentication method and system in a communication system are provided. An MS, a BS and an AAA server acquire a first MSK by a first EAP authentication for the MS in an EAP-in-EAP scheme. After the first EAP authentication, they acquire a second MSK by a second EAP authentication for the MS in the EAP-in-EAP scheme.
Claims
(Exact text as granted, not AI-modified.)
1. An authentication method in a communication system, comprising:
acquiring a first master session key (MSK) by a first Extensible Authentication Protocol (EAP) authentication for a mobile station (MS) in an EAP-in-EAP scheme by the MS, a base station (BS), and an authorization, authentication and accounting (AAA) server;
acquiring a second MSK by a second EAP authentication for the MS in the EAP-in-EAP scheme by the MS, the BS and the AAA server, after the first EAP authentication; and
generating an authorization key (AK) using the first MSK and the second MSK by the MS and the BS;
wherein generating the AK comprises generating a first pairwise master key (PMK) using the first MSK, generating a second PMK using the second MSK, and generating the AK using the first PMK and the second PMK.
2. The authentication method of claim 1, wherein generating the first PMK generation step comprises generating the first PMK by truncating the first MSK.
3. The authentication method of claim 2, wherein generating the second PMK comprises truncating the second MSK.
4. The authentication method of claim 3, wherein the step of generating the AK using the first PMK and the second PMK comprises generating the AK using an XOR of the first PMK and a second PMK and a concatenation of the identifier (ID) of the MS and the ID of the BS.
5. The authentication method of claim 3, wherein the step of generating the AK using the first PMK and the second PMK comprises generating the AK by applying the first PMK and the second PMK to
AK = Dot16KDF(PMK ⊕ PMK2, SSID | BSID | ‘AK’, 160)
where Dot16KDF is an AK generation function, PMK is the first PMK, PMK2 is the second PMK, SSID is the ID of the MS, BSID is the ID of the BS, ‘AK’ is the AK generated by the Dot16KDF, and 160 denotes the length of the AK, 160 bits.
6. The authentication method of claim 3, wherein generating the AK using the first PMK and the second PMK comprises generating the AK using the first PMK and a concatenation of the second PMK, the ID of the MS, and the ID of the BS.
7. The authentication method of claim 3, wherein generating the AK using the first PMK and the second PMK comprises generating the AK by applying the first PMK and the second PMK to
AK = Dot16KDF(PMK, SSID | BSID | PMK2 | ‘AK’, 160)
where Dot16KDF is an AK generation function, PMK is the first PMK, PMK2 is the second PMK, SSID is the ID of the MS, BSID is the ID of the BS, ‘AK’ is the AK generated by the Dot16KDF, and 160 denotes the length of the AK, 160 bits.
8. An authentication system in a communication system, comprising:
a mobile station (MS) for acquiring a first master session key (MSK) by performing a first Extensible Authentication Protocol (EAP) authentication in an EAP-in-EAP scheme with a base station (BS) and an authorization, authentication and accounting (AAA) server, and acquiring a second MSK by performing a second EAP authentication in the EAP-in-EAP scheme with the BS and the AAA server, after the first EAP authentication;
the AAA server for acquiring the first MSK by performing the first EAP authentication with the MS and the BS and acquiring the second MSK by performing the second EAP authentication with the MS and the BS; and
the BS for acquiring the first MSK by performing the first EAP authentication with the MS and the AAA server and acquiring the second MSK by performing the second EAP authentication with the MS and the AAA server;
wherein the MS and the BS generate an authorization key (AK) using the first MSK and the second MSK; and
wherein the MS and the BS generate a first pairwise master key (PMK) using the first MSK, generate a second PMK using the second MSK, and generate the AK using the first PMK and the second PMK.
9. The authentication system of claim 8, the MS and the BS generate the first PMK by truncating the first MSK.
10. The authentication system of claim 9, wherein the MS and the BS generate the second PMK by truncating the second MSK.
11. The authentication system of claim 10, wherein the MS and the BS generate the AK using an XOR of the first PMK and a second PMK and a concatenation of the identifier (ID) of the MS and the ID of the BS.
12. The authentication system of claim 10, wherein the MS and the BS generate the AK by applying the first PMK and the second PMK to
AK = Dot16KDF(PMK ⊕ PMK2, SSID | BSID | ‘AK’, 160)
where Dot16KDF is an AK generation function, PMK is the first PMK, PMK2 is the second PMK, SSID is the ID of the MS, BSID is the ID of the BS, ‘AK’ is the AK created by the Dot16KDF, and 160 denotes the length of the AK, 160 bits.
13. The authentication system of claim 10, wherein the MS and the BS generate the AK using the first PMK and a concatenation of the second PMK, the ID of the MS, and the ID of the BS.
14. The authentication system of claim 10, wherein the MS and the BS generate the AK by applying the first PMK and the second PMK to
AK = Dot16KDF(PMK, SSID | BSID | PMK2 | ‘AK’, 160)
where Dot16KDF is an AK generation function, PMK is the first PMK, PMK2 is the second PMK, SSID is the ID of the MS, BSID is the ID of the BS, ‘AK’ is the AK created by the Dot16KDF, and 160 denotes the length of the AK, 160 bits.
15. The authentication method of claim 1, wherein the first authentication is device authentication, and the second authentication is user authentication.
16. The authentication system of claim 8, wherein the first authentication is device authentication, and the second authentication is user authentication.
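The following is an added worked example, not code from the patent or from any IEEE 802.16 implementation. It models the key-combination structure of claims 2 to 7 (and their system counterparts 9 to 14): each EAP run yields an MSK, each MSK is truncated to a PMK, and the MS and BS then bind both PMKs into one AK either by XOR (claims 4/5, 11/12) or by concatenation (claims 6/7, 13/14). The page describes Dot16KDF only as "an AK generation function", so the block uses a stand-in counter-mode KDF over HMAC-SHA-256 under that name; it is not the IEEE 802.16e Dot16KDF and would not interoperate with it. The 160-bit PMK length, the reading of `|` as byte concatenation, and the sample MSK, SSID and BSID values are all assumptions constructed for the example.

```python
# Added example (not the patent's own code, nor IEEE 802.16e reference code):
# derives the authorization key (AK) from two master session keys, following
# the structure of claims 2-7 / 9-14 of US7724904B2.
#
# Labelled assumptions:
#  * The page only calls Dot16KDF "an AK generation function", so a stand-in
#    counter-mode KDF over HMAC-SHA-256 is used under that name here. It is
#    NOT the IEEE 802.16e Dot16KDF and will not interoperate with it.
#  * "Truncating" an MSK to a PMK is taken to mean keeping its leftmost
#    160 bits (20 bytes); that length is an assumption.
#  * "|" in the claims is read as byte concatenation; SSID and BSID are
#    passed in as raw bytes.
import hashlib
import hmac

PMK_LEN_BYTES = 20   # 160-bit PMK (assumption)
AK_LEN_BITS = 160    # AK length stated in claims 5 and 7


def dot16kdf_standin(key: bytes, astring: bytes, keylength: int) -> bytes:
    """Counter-mode KDF: HMAC-SHA-256(key, i | astring | keylength) for
    i = 0, 1, ... until keylength bits are produced, then truncated.
    Stand-in for the page's Dot16KDF, not the real one."""
    out = b""
    n_bytes = (keylength + 7) // 8
    i = 0
    while len(out) < n_bytes:
        block = i.to_bytes(4, "big") + astring + keylength.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        i += 1
    return out[:n_bytes]


def pmk_from_msk(msk: bytes) -> bytes:
    """Claims 2-3: the PMK is the MSK truncated (leftmost PMK_LEN_BYTES here)."""
    if len(msk) < PMK_LEN_BYTES:
        raise ValueError("MSK shorter than the PMK length")
    return msk[:PMK_LEN_BYTES]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def derive_ak_xor(msk1: bytes, msk2: bytes, ssid: bytes, bsid: bytes) -> bytes:
    """Claims 4-5 / 11-12: AK = Dot16KDF(PMK1 xor PMK2, SSID|BSID|'AK', 160)."""
    pmk1, pmk2 = pmk_from_msk(msk1), pmk_from_msk(msk2)
    return dot16kdf_standin(xor_bytes(pmk1, pmk2), ssid + bsid + b"AK", AK_LEN_BITS)


def derive_ak_concat(msk1: bytes, msk2: bytes, ssid: bytes, bsid: bytes) -> bytes:
    """Claims 6-7 / 13-14: AK = Dot16KDF(PMK1, SSID|BSID|PMK2|'AK', 160)."""
    pmk1, pmk2 = pmk_from_msk(msk1), pmk_from_msk(msk2)
    return dot16kdf_standin(pmk1, ssid + bsid + pmk2 + b"AK", AK_LEN_BITS)


# Constructed sample values (not real keys or identifiers).
MSK1 = bytes(range(1, 65))                          # 64-byte MSK from the first (device) EAP run
MSK2 = bytes((0xA5 + i) & 0xFF for i in range(64))  # 64-byte MSK from the second (user) EAP run
SSID = bytes.fromhex("00163e112233")                # MS identifier, constructed
BSID = bytes.fromhex("0a0b0c0d0e0f")                # BS identifier, constructed


def both_sides_agree(derive) -> bool:
    """The MS and BS each hold both MSKs after the two EAP runs and must derive
    the same AK independently; a party that only completed the first (device)
    run, modelled here with an all-zero second MSK, must not obtain that AK."""
    ak_ms = derive(MSK1, MSK2, SSID, BSID)
    ak_bs = derive(MSK1, MSK2, SSID, BSID)
    ak_device_only = derive(MSK1, bytes(64), SSID, BSID)
    return (ak_ms == ak_bs
            and ak_ms != ak_device_only
            and len(ak_ms) == AK_LEN_BITS // 8)


if __name__ == "__main__":
    for name, fn in (("xor", derive_ak_xor), ("concat", derive_ak_concat)):
        print(f"{name:6s} AK={fn(MSK1, MSK2, SSID, BSID).hex()} agree={both_sides_agree(fn)}")
```

One property worth noticing when comparing the two claimed variants: XOR is commutative, so the XOR variant yields the same AK if the device and user MSKs are swapped, and it feeds an all-zero key into the KDF if the two PMKs happen to be equal; the concatenation variant keeps the two PMKs in distinct positions and has neither property. Both variants still require knowledge of both MSKs to reproduce the AK, which is the point of binding the device and user authentications together.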